Logentries Docs

Find comprehensive guides and documentation to help you start and continue to work with Logentries.

Apache & Nginx Structure

Logentries will automatically identify and index fields within your Apache and Nginx log events. Keys are automatically highlighted in search. You can select a field suggested in the search bar to search across your data quickly.

Parsing

If we take a normal Apache log example in this format:

192.0.2.1 - Ultan [07/Mar/2004:16:43:54 -0800] "GET /unencrypted_password_list HTTP/1.1" 404 9001 "http://passwords.hackz0r" "Mozilla/4.08 [en] (Win95)"

The format of an Apache access log line is:

*addr* - *user* *timestamp* "*method* *path* *version*" *status* *bytes* *referrer* *agent*

These implied keys are parsed immediately and can be used in groupby queries and calculations. From the example above:

Implied Key   Value
addr          192.0.2.1
user          Ultan
timestamp     [07/Mar/2004:16:43:54 -0800]
method        GET
path          /unencrypted_password_list
version       HTTP/1.1
status        404
bytes         9001
referrer      http://passwords.hackz0r
agent         Mozilla/4.08 [en] (Win95)

These keys make log searching easier; for example, you can now run queries such as the following.

You can see when a referrer comes from a certain site with:

where(referrer="http://passwords.hackz0r")

You can see which URLs are hit most often with:

groupby(path) calculate(count) sort(desc)

You can see the average number of bytes sent with:

calculate(average:bytes)

You can see which addresses hit you most often with:

calculate(count:addr) sort(desc)
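To show how the implied keys above are extracted from a raw line and then used by the queries just listed, here is an added Python example; it is not Logentries' own parser or query engine. It applies a regular expression for the format described on this page to a few constructed log lines (the first is the page's own example) and re-implements the four queries over the parsed events.

```python
import re
from collections import Counter

# Access-log format as described on this page:
# addr - user [timestamp] "method path version" status bytes "referrer" "agent"
LINE_RE = re.compile(
    r'^(?P<addr>\S+) - (?P<user>\S+) \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<version>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def parse_line(line):
    """Return the implied keys of one access-log event, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    # Apache writes "-" when no body was sent; treat it as 0 so calculations still work.
    event["bytes"] = 0 if event["bytes"] == "-" else int(event["bytes"])
    event["status"] = int(event["status"])
    return event

# Constructed sample events (not real traffic); the first is the page's own example line.
SAMPLE_LOG = """\
192.0.2.1 - Ultan [07/Mar/2004:16:43:54 -0800] "GET /unencrypted_password_list HTTP/1.1" 404 9001 "http://passwords.hackz0r" "Mozilla/4.08 [en] (Win95)"
203.0.113.5 - - [07/Mar/2004:16:44:01 -0800] "GET /index.html HTTP/1.1" 200 1200 "-" "curl/7.0"
198.51.100.7 - - [07/Mar/2004:16:44:05 -0800] "GET /index.html HTTP/1.1" 200 1200 "http://passwords.hackz0r" "Mozilla/5.0"
198.51.100.7 - - [07/Mar/2004:16:44:09 -0800] "HEAD /index.html HTTP/1.1" 200 - "-" "Mozilla/5.0"
not an access log line
"""

def events():
    return [e for e in map(parse_line, SAMPLE_LOG.splitlines()) if e]

def where_referrer(site):             # where(referrer="...")
    return [e for e in events() if e["referrer"] == site]

def top_paths():                      # groupby(path) calculate(count) sort(desc)
    return Counter(e["path"] for e in events()).most_common()

def average_bytes():                  # calculate(average:bytes)
    evs = events()
    return sum(e["bytes"] for e in evs) / len(evs)

def top_addrs():                      # calculate(count:addr) sort(desc)
    return Counter(e["addr"] for e in events()).most_common()
```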
